MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56e1702bf2144b3d380c778ac722fca6854f8794c8adefd19a5c0ed4091db499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 56e1702bf2144b3d380c778ac722fca6854f8794c8adefd19a5c0ed4091db499
SHA3-384 hash: a0412854fbd5346a495f869a941ea21cca7781f25d2e24c63159b37e75355940b23a5f52e8cc81806f38f8d7e5f7980a
SHA1 hash: 4794afb417405b5c475593c21fa3ee9c3dc6808a
MD5 hash: 3ea49df84a80eb88c10d6d4a5b518e61
humanhash: london-lamp-mango-charlie
File name: Banktelex07102020#pdf.exe
File size: 241'664 bytes
First seen: 2020-10-19 10:47:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:Nj9ZKh2WP9wzR3qXoILXGrtI1I4wP0Gn1Ih84mOfZX9sceSM0+D:R9EJ9wt2L2C1Iz0i1h4L9c
Threatray: 310 similar samples on MalwareBazaar
TLSH: 0B3423EC4ACD8BA6D86D57F3D0A360164052A5AA9A03CF3F26C172485F67327B53137B
Reporter: abuse_ch
Tags: exe Yahoo


abuse_ch
Malspam distributing unidentified malware:

HELO: sonic310-37.consmr.mail.ir2.yahoo.com
Sending IP: 77.238.177.58
From: Very !mportant????! <gabevvarna01@yahoo.com>
Subject: Fw: Bank Account Error
Attachment: Banktelex07102020pdf.rar (contains "Banktelex07102020#pdf.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph (ID 300096; sample Banktelex07102020#pdf.exe; start date 19/10/2020; architecture WINDOWS; score 84):

Signatures on the submitted sample:
  Multi AV Scanner detection for submitted file
  Sigma detected: Add file from suspicious location to autostart registry
  .NET source code contains very large array initializations
  Machine Learning detection for sample

Process tree:
  Banktelex07102020#pdf.exe
    dropped: C:\Users\user\AppData\Roaming\...\inte.exe (PE32)
    dropped: C:\Users\user\...\inte.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\...\Banktelex07102020#pdf.exe.log (ASCII)
    dropped: C:\Users\user\AppData\Local\Temp\...\Xxl.dll (PE32)
    signature: Tries to detect virtualization through RDTSC time measurements
    cmd.exe
      reg.exe
        signature: Creates an autostart registry key pointing to binary in C:\Windows
      conhost.exe
    inte.exe
      dropped: C:\Users\user\AppData\...\AgileDotNetRT.dll (PE32)
      inte.exe
      inte.exe
      inte.exe
      2 other processes
  pcalua.exe
    inte.exe
      signature: Multi AV Scanner detection for dropped file
      signature: Machine Learning detection for dropped file
      signature: Tries to detect virtualization through RDTSC time measurements
  pcalua.exe
Threat name: ByteCode-MSIL.Trojan.Witch
Status: Malicious
First seen: 2020-10-19 06:58:43 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 56e1702bf2144b3d380c778ac722fca6854f8794c8adefd19a5c0ed4091db499
MD5 hash: 3ea49df84a80eb88c10d6d4a5b518e61
SHA1 hash: 4794afb417405b5c475593c21fa3ee9c3dc6808a

SHA256 hash: 27f290f62b69459fd550f4472b6897dd510c97af159745256d8bd10e8bf5d69e
MD5 hash: 6c6123eb24f7b97a45e19e8b942c6bb6
SHA1 hash: 3185b1ed260650a6013670f9879819eb3ec1be02
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Executable exe 56e1702bf2144b3d380c778ac722fca6854f8794c8adefd19a5c0ed4091db499 (this sample)
Delivery method: Distributed via e-mail attachment